SecureMac, Inc.

Computer security news. Just for Macs.

Get the latest computer security news for Macs and be the first to be informed about critical updates. Industry news, security events and all you need right at your fingertips. Malware threats change daily, so keep up to date on the latest developments to help ensure your privacy and protection. You can never be too safe.

Is TikTok reading your clipboard?

Posted on June 30, 2020

TikTok has been caught snooping on iOS users’ clipboard data. The video-sharing app’s troubling behavior was discovered thanks to a new privacy feature in iOS 14. In this short piece, we’ll provide some more detail about what happened, offer a bit of context to the story, and discuss the wider issue of user privacy on iOS.

TikTok, iOS 14, and your data

Apple recently announced iOS 14 at its 2020 Worldwide Developers Conference, and has now released the first beta version for testing. The new iOS comes equipped with several important privacy enhancements, one of which alerted beta testers to TikTok’s behind-the-scenes activities.

In iOS 14, users receive a banner notification whenever an app pastes from the system clipboard, thus letting them know that the clipboard is being accessed. Users of the iOS 14 beta noticed that whenever they were on TikTok, they received an almost constant stream of banner notifications — indicating that something untoward was going on with TikTok and the iOS clipboard.

TikTok’s public response

After reports about the issue began to surface, TikTok issued a statement in which they said that the banner alerts were caused by an anti-spam feature in the app, and that they would remove the feature in order to “prevent misunderstanding”. At the time of writing, TikTok developers have submitted an updated version of the app — minus the offending feature — to the App Store. It’s worth noting that TikTok’s parent company, ByteDance, had already been confronted about the app’s clipboard usage earlier in the year, and had told journalists that it would discontinue the practice “within weeks”. This does not appear to have happened. 

TikTok’s problematic history

This incident isn’t TikTok’s first brush with controversy. Last year, the U.S. government launched a national security review of ByteDance, which is headquartered in Beijing, in part due to concerns over political censorship and handling of user data on TikTok. Shortly thereafter, the U.S. Army and Navy issued a ban on TikTok for all service members, flagging the app as a potential cybersecurity threat. More recently, the European Data Protection Board created a special task force to investigate TikTok’s privacy practices.

TikTok has also drawn criticism on ethical grounds, with a group of U.S. Senators calling for yet another probe into the app over allegations that it is mishandling videos created by minors and violating parental consent regulations. Journalists have also reported that TikTok encourages its moderators to suppress content produced by disabled and economically disadvantaged users, as well as by users deemed too unattractive for inclusion in the app’s curated “For You” feed.

It’s not just TikTok 

While there are plenty of reasons to be wary of installing TikTok on your device, it’s certainly not the only app that plays fast and loose with user clipboard data: A recent report found 53 other apps engaging in similarly intrusive monitoring of iOS users’ clipboards. 

The issue is also not a new one. The security researchers who first discovered that TikTok and other popular apps were reading iOS clipboard data without consent published their findings months ago. An even earlier report by the same researchers demonstrated how photo metadata stored on the clipboard could be used by malicious apps to infer a user’s location without their consent.

Fortunately, Apple appears to be taking the issue seriously, and listening to feedback from the security research community (as evidenced by features like the new iOS 14 banner alert whenever apps use the clipboard). While the new iOS probably won’t see wide release until sometime in September, it’s good to know that help is on the way. In the meantime, be mindful of what apps you’re installing on your device, take any data usage and access request alerts seriously — and never install anything from a developer that you don’t know and trust with your data.

Join our mailing list for the latest security news and deals